diff options
Diffstat (limited to 'tls.c')
| -rw-r--r-- | tls.c | 47 |
1 files changed, 36 insertions, 11 deletions
diff --git a/tls.c b/tls.c index 7b612b8..d387952 100644 --- a/tls.c +++ b/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.89 2021/02/01 15:35:41 tb Exp $ */ +/* $OpenBSD: tls.c,v 1.98 2023/07/02 06:37:27 beck Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -448,6 +448,8 @@ tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pke static int tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey) { + RSA_METHOD *rsa_method; + EC_KEY_METHOD *ecdsa_method; RSA *rsa = NULL; EC_KEY *eckey = NULL; int ret = -1; @@ -468,6 +470,20 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p tls_set_errorx(ctx, "RSA key setup failure"); goto err; } + if (ctx->config->sign_cb != NULL) { + rsa_method = tls_signer_rsa_method(); + if (rsa_method == NULL || + RSA_set_ex_data(rsa, 1, ctx->config) == 0 || + RSA_set_method(rsa, rsa_method) == 0) { + tls_set_errorx(ctx, "failed to setup RSA key"); + goto err; + } + } + /* Reset the key to work around caching in OpenSSL 3. */ + if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { + tls_set_errorx(ctx, "failed to set RSA key"); + goto err; + } break; case EVP_PKEY_EC: if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL || @@ -475,6 +491,20 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p tls_set_errorx(ctx, "EC key setup failure"); goto err; } + if (ctx->config->sign_cb != NULL) { + ecdsa_method = tls_signer_ecdsa_method(); + if (ecdsa_method == NULL || + EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 || + EC_KEY_set_method(eckey, ecdsa_method) == 0) { + tls_set_errorx(ctx, "failed to setup EC key"); + goto err; + } + } + /* Reset the key to work around caching in OpenSSL 3. */ + if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) { + tls_set_errorx(ctx, "failed to set EC key"); + goto err; + } break; default: tls_set_errorx(ctx, "incorrect key type"); @@ -550,16 +580,12 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); - SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1); - SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1); SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3); - if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) - SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); - if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0) - SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3) == 0) @@ -582,7 +608,7 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) } if (ctx->config->verify_time == 0) { - X509_VERIFY_PARAM_set_flags(ssl_ctx->param, + X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ssl_ctx), X509_V_FLAG_NO_CHECK_TIME); } @@ -731,9 +757,8 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) tls_set_error(ctx, "failed to add crl"); goto err; } - xi->crl = NULL; } - X509_VERIFY_PARAM_set_flags(X509_STORE_get0_param(store), + X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } @@ -849,7 +874,7 @@ tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix) case SSL_ERROR_WANT_ACCEPT: case SSL_ERROR_WANT_X509_LOOKUP: default: - tls_set_ssl_errorx(ctx, "%s failed (%i)", prefix, ssl_err); + tls_set_ssl_errorx(ctx, "%s failed (%d)", prefix, ssl_err); return (-1); } } |